From: davidl at ngssoftware dot com
Operating system: Redhat Linux
PHP version: 4.3.10
PHP Bug Type: Scripting Engine problem
Bug description: Safemode can be bypassed

Description:
------------
The swf_openfile function can be used to create files outside of open_basedir when safe mode is enabled.

Reproduce code:
---------------
<?php
swf_openfile("/../../../../../../../../../../../../../../tmp/testswf.txt", 256, 256, 30, 1, 1, 1);
swf_closefile();
?>

Expected result:
----------------
a file called testswf.txt will be created in /tmp

Actual result:
--------------
a file called testswf.txt will be created in /tmp

--
Edit bug report at http://bugs.php.net/?id=31270&edit=1
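
The kind of containment check the report says is not applied to this path, as a stand-alone C sketch (an added example, not code from PHP or from the reporter). The function name `path_within_basedir` and the use of `/usr` as a stand-in for the configured open_basedir are assumptions; because the target file does not exist yet, the parent directory is canonicalised instead of the full path.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return 1 if a file created at `path` would land inside `basedir`, else 0.
 * Fails closed: any path that cannot be resolved is rejected. */
int path_within_basedir(const char *path, const char *basedir)
{
    char base[PATH_MAX], parent[PATH_MAX], tmp[PATH_MAX];
    size_t n;

    if (strlen(path) >= sizeof tmp)
        return 0;
    if (realpath(basedir, base) == NULL)
        return 0;

    /* dirname() may modify its argument, so work on a copy. */
    strcpy(tmp, path);
    if (realpath(dirname(tmp), parent) == NULL)
        return 0;

    n = strlen(base);
    if (n == 1 && base[0] == '/')
        return 1;                       /* basedir is the filesystem root */
    if (strncmp(parent, base, n) != 0)
        return 0;
    /* Require a component boundary so /usr does not match /usr2. */
    return parent[n] == '\0' || parent[n] == '/';
}

int main(void)
{
    /* Constructed inputs: the path from the report, checked against /usr. */
    const char *reported =
        "/../../../../../../../../../../../../../../tmp/testswf.txt";

    printf("reported path allowed: %d\n",
           path_within_basedir(reported, "/usr"));
    printf("path under basedir allowed: %d\n",
           path_within_basedir("/usr/share/testswf.txt", "/usr"));
    return 0;
}
```

A check like this followed by a separate open is still subject to a race if the directory can change in between, so it belongs immediately before the open inside the function that creates the file.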